secureCodeBox · SebieF · Sep 29, 2021 · Sep 29, 2021 · Sep 30, 2021 · Sep 30, 2021
diff --git a/scanners/cmseek/Chart.yaml b/scanners/cmseek/Chart.yaml
@@ -1,40 +1,27 @@
 # SPDX-FileCopyrightText: 2021 iteratec GmbH
 #
 # SPDX-License-Identifier: Apache-2.0
+
 apiVersion: v2
 name: cmseek
 description: A Helm chart for the Joomla security scanner that integrates with the secureCodeBox
 
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
 type: application
 # version - gets automatically set to the secureCodeBox release version when the helm charts gets published
 version: v3.1.0-alpha1
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application. Versions are not expected to
-# follow Semantic Versioning. They should reflect the version the application is using.
-# It is recommended to use it with quotes.
 appVersion: "1.1.3"
 kubeVersion: ">=v1.11.0-0"
-keywords:  
+
+keywords:
   - security
   - cmseek
   - Joomla
   - scanner
   - secureCodeBox
-
 home: https://docs.securecodebox.io/docs/scanners/cmseek
 icon: https://docs.securecodebox.io/img/integrationIcons/Default.svg
-
 sources:
   - https://github.com/secureCodeBox/secureCodeBox
-
 maintainers:
   - name: iteratec GmbH
-  - email: [email protected]  
+    email: [email protected]
diff --git a/scanners/cmseek/parser/__testFiles__/test-empty-report.json b/scanners/cmseek/parser/__testFiles__/test-empty-report.json
@@ -0,0 +1 @@
+[]
diff --git a/scanners/cmseek/parser/__testFiles__/test-empty-report.json.license b/scanners/cmseek/parser/__testFiles__/test-empty-report.json.license
@@ -0,0 +1,3 @@
+SPDX-FileCopyrightText: 2021 iteratec GmbH
+
+SPDX-License-Identifier: Apache-2.0
diff --git a/scanners/cmseek/parser/parser.test.js b/scanners/cmseek/parser/parser.test.js
@@ -50,4 +50,16 @@ test("parser parses result of non-Joomla scan successfully", async () => {
   const findings = await parse(JSON.parse(fileContent));
   await expect(validateParser(findings)).resolves.toBeUndefined();
   expect(findings).toMatchSnapshot();
-});
+});
+
+test("should properly parse empty cmseek json file", async () => {
+  const jsonContent = await readFile(
+    __dirname + "/__testFiles__/test-empty-report.json",
+    {
+      encoding: "utf8",
+    }
+  );
+  const findings = await parse(jsonContent);
+  await expect(validateParser(findings)).resolves.toBeUndefined();
+  expect(findings).toMatchInlineSnapshot(`Array []`);
+});
diff --git a/scanners/cmseek/templates/cascading-rules.yaml b/scanners/cmseek/templates/cascading-rules.yaml
@@ -1,12 +1,15 @@
 # SPDX-FileCopyrightText: 2021 iteratec GmbH
 #
 # SPDX-License-Identifier: Apache-2.0
+
 # We only want to import the default cascading rules if they are enabled
 {{ if .Values.cascadingRules.enabled }}
+# The CascadingRules are not directly in the /templates directory as their curly bracket syntax clashes with helms templates ... :(
+# We import them as raw files to avoid these clashes as escaping them is even more messy
 {{ range $path, $_ :=  .Files.Glob  "cascading-rules/*" }}
 # Include File
 {{ $.Files.Get $path }}
 # Separate multiple files
 ---
 {{ end }}
-{{ end }}
+{{ end }}
diff --git a/scanners/cmseek/templates/cmseek-parse-definition.yaml b/scanners/cmseek/templates/cmseek-parse-definition.yaml
@@ -9,7 +9,6 @@ metadata:
 spec:
   image: "{{ .Values.parser.image.repository }}:{{ .Values.parser.image.tag | default .Chart.Version }}"
   imagePullPolicy: {{ .Values.parser.image.pullPolicy }}
-
   ttlSecondsAfterFinished: {{ .Values.parser.ttlSecondsAfterFinished }}
   env: 
     {{- toYaml .Values.parser.env | nindent 4 }}
diff --git a/scanners/cmseek/templates/cmseek-scan-type.yaml b/scanners/cmseek/templates/cmseek-scan-type.yaml
@@ -1,10 +1,11 @@
 # SPDX-FileCopyrightText: 2021 iteratec GmbH
 #
 # SPDX-License-Identifier: Apache-2.0
+
 apiVersion: "execution.securecodebox.io/v1"
 kind: ScanType
 metadata:
-  name: "cmseek"
+  name: "cmseek{{ .Values.scanner.nameAppend | default ""}}"
 spec:
   extractResults:
     type: cmseek-json

diff --git a/scanners/cmseek/values.yaml b/scanners/cmseek/values.yaml
@@ -11,6 +11,7 @@ parser:
     tag: null
     # -- Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
     pullPolicy: IfNotPresent
+
   # parser.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/
   ttlSecondsAfterFinished: null
   # parser.env -- Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)
@@ -28,12 +29,11 @@ scanner:
   # scanner.nameAppend -- append a string to the default scantype name.
   nameAppend: null
 
-  # scanner.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/
+  # -- seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/
   ttlSecondsAfterFinished: null
   # -- There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup)
   activeDeadlineSeconds: null
-
-  # scanner.backoffLimit -- There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy)
+  # -- There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy)
   # @default -- 3
   backoffLimit: 3
 
@@ -60,7 +60,19 @@ scanner:
   extraContainers: []
 
   # scanner.securityContext -- Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
-  securityContext: {}
+  securityContext:
+    # scanner.securityContext.runAsNonRoot -- Enforces that the scanner image is run as a non root user
+    runAsNonRoot: true
+    # scanner.securityContext.readOnlyRootFilesystem -- Prevents write access to the containers file system
+    readOnlyRootFilesystem: false
+    # scanner.securityContext.allowPrivilegeEscalation -- Ensure that users privileges cannot be escalated
+    allowPrivilegeEscalation: false
+    # scanner.securityContext.privileged -- Ensures that the scanner container is not run in privileged mode
+    privileged: false
+    capabilities:
+      drop:
+        # scanner.securityContext.capabilities.drop[0] -- This drops all linux privileges from the container.
+        - all
 
 cascadingRules:
   # cascadingRules.enabled -- Enables or disables the installation of the default cascading rules for this scanner
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		SPDX-FileCopyrightText: 2021 iteratec GmbH

		SPDX-License-Identifier: Apache-2.0